My sources used for fact checking are several of your own staff members. Where errors have been made, they have been immediately corrected, and the wiki history is visible for whatever analysis you wish to do on that.

You have done *nothing* to back any of your arguments, and continue to make a fool of yourself with baseless claims and your continuing dialog of "just trust us".

Even if it does not reflect the current system (which it appears to do), the past doesn't just walk away.


I'm not going to have an argument. The information that you may have is 7 months old and does not reflect the current workings of the mcbans system.

Hi. I'm concerned for my server's security (changing passwords right now).
I received an E-mail, which was in my spam folder, from the domain [email protected] (IP being 176.31.206.194), consisting of the following message:

[email protected][email protected] 7 (1 day ago)
to me
Dear user whose information was definitely NOT compromised.,
We are writing to inform you that there was absolutely NO breach in our "extensive" security measures that could allow your personal information and all the API keys to be leaked, because of this we DO NOT suggest you change your mcbans.com password. This breach DID NOT affect anyone. If your Minecraft password is the same as any password you use for MCBans you should not give a fuck. Our server is protected by an expired version of Norton Antivirus from 2007 and thus is absolutely hacker-proof.

For further support go to support.mcbans.com and open a ticket or contact us on IRC at irc://irc.esper.net:5555 on #mcbans or #yesyourinformationwascompromised. You may verify that your information WAS NOT COMPROMISED by searching for it in our uncompromised database which we have temporarily mirrored publicly for verification purposes:

As you should see, your information is still in our uncompromised database and thus has not been stolen.

We would like to thank you for your continued support and use of mcbans.com and we apologize for any inconvenience this has not caused. Rest assured that if there ever were a breach of our systems, the kind Nigerian prince who funds our operation would be more than willing to offer you 7 figure restitution if you can just help him out a bit. Hell, he's probably about to make you this offer just because he loves you.

I hope you all want Viagra because our associates have plenty to sell.

Remember:
- Firestar likes cocks.
- Denial is the best security measure ever and lying through your teeth is the truest display of integrity.
- Also, we have never ever been hacked, if someone claims otherwise they are bullshitting you.
- And to re-iterate once more, Firestar likes cocks.

Be that as it may, your sources are biased, and the information that you may have is 7 months old and does not reflect the current workings of the mcbans system.


As true as this might be, each attack on an organization's security (successful or unsuccessful) is normally a prelude to an improvement in the security of said organization. From the information available to everyone, it seems that the entire McBans system was literally "trusted" to one individual (who helped with said security), as proved by his ability to lock out people who are actually McBans staff. This is also compounded by fears of well-known griefers (which McBans is mostly used to block) such as, for example, Doridian not only assisting with McBans but possibly having access to the system itself (which he or others could use to attack servers that put their trust in McBans).

This is worrying, not only to me but to any other user out there that is using, or may use in the future, McBans. What improvements can we see come from this? How will you protect your users in the future? How can you guarantee an incident like this never occurs again? I think these are questions on everyone's mind.


The system is not trusted to any one person, and the user in question is no longer involved with mcbans or its equipment. And he would not have done anything he had threatened because he did not have access to those services.

As TkTech has stated, he is in no way affiliated with MCBouncer (or any other ban systems that I know of). He hasn't even logged into the Reddit servers, so not connected in that way either. Please don't make unfounded accusations.


The information in question was from 7 months ago, from an older version of mcbans, and in no way reflects the operations of the current mcbans.


You should come on HF sometime. Crashdoom is an active griefer and an active MCbans staff member. While there may appear to be a conflict of interest there, it's not true; it's about the same as me being both a server admin and a griefer, and countless others like me or Crashdoom. Being a griefer doesn't mean that you don't care about stopping them. I highly doubt anyone on the current MCbans staff list is going to abuse their powers.


I should note that this thread has gotten significantly off topic. I would suggest taking such a conversation about a reddit post to a more appropriate forum (Offtopic), not to mention the quick argument this thread has become.

If this thread continues to break Bukkit rules and remains as it is now I will lock it. Please do not make me do that.

I'm amazed that people still don't do background checks when they hire others and are going to give them any kind of access or control over critical services (directed at nobody in particular). I actually read about Z. coding for Terraria a week ago and couldn't believe it. People do NOT change, as long as what they do is successful.

MCBans has a very poor history of whom they employ or trust with their project, which (at least that's how it got explained to me once) is the result of people knowing each other or considering each other friends. I really hope these events also change the employment process for the sake of those that rely on the service. Or the other way around, cause server operators to distrust services like McBans by default.


A hashing function is fundamentally a one-way operation. Weaknesses in these functions can be found and exploited, however, but this assumes that the password was not modified before hashing (this is normally known as 'salting').

Provided the salt used by mcbans is secure, I don't foresee anyone being able to turn the hash back into a real password easily. But nothing is impossible, and if you used the same password on mcbans as anywhere else (especially your linked email account) you really should change it soon.

Edit: Which leaves me to ask, do you believe the salt to have been discovered, or is it still secure?

That being said, they could have been more transparent to their users, like saying that the salt was in the compromised DB. I'm not going to judge you for having the salt in the same DB as the passwords, but that should have been said in the first post.

Also, I noticed that you don't use SSL on the MCBans login page, as far as I can see. Interesting.


SMF, as well as other PHP scripts, all have their salts in the DB. MCBans.com was not hacked; it was the old forums.mcbans.com server, for which we have changed hosts.
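An added example (not code from this thread, nor from MCBans or SMF) of the point raised above about the salt living in the same table as the hashes: the salt is not meant to be secret, since its job is to make each user's hash unique; what protects a stolen table is a slow, per-user-salted KDF, and old rows should be upgraded on the next successful login. The `sha1_legacy` record format and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed work factor for this example; raise it as hardware gets faster.
ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    The salt sits in the clear next to the digest, exactly as forum software
    keeps it in the database. That is fine: the salt only defeats precomputed
    tables; the iteration count is what makes each guess expensive once the
    table has been stolen.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def _legacy_digest(username: str, password: str) -> str:
    # Constructed legacy scheme: one fast SHA-1 over lowercased user + password.
    # An assumption standing in for an old forum's scheme, not SMF's actual code.
    return hashlib.sha1((username.lower() + password).encode()).hexdigest()

def verify_password(record: str, username: str, candidate: str) -> bool:
    """Check a candidate against either record format using constant-time compares."""
    parts = record.split("$")
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        _, iters, salt_hex, digest_hex = parts
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    if parts[0] == "sha1_legacy" and len(parts) == 2:
        return hmac.compare_digest(_legacy_digest(username, candidate), parts[1])
    return False  # unknown or malformed record never verifies

def needs_rehash(record: str) -> bool:
    """True when the row uses the legacy scheme or a lower work factor than today's."""
    parts = record.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < ITERATIONS

def login(record: str, username: str, candidate: str) -> Tuple[bool, str]:
    """Verify, and transparently upgrade the stored record on a successful login."""
    ok = verify_password(record, username, candidate)
    if ok and needs_rehash(record):
        record = hash_password(candidate)  # only possible while we hold the plaintext
    return ok, record

if __name__ == "__main__":
    old = "sha1_legacy$" + _legacy_digest("alice", "hunter2")  # constructed legacy row
    ok, new = login(old, "alice", "hunter2")
    print(ok, needs_rehash(old), needs_rehash(new))  # True True False
```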

I would like a clarification on something else. In your original post you say:

On 01/01/2012, MCBans became aware of a security breach on a server which contained our users’ personal information. The incident involving protected user information was the theft of a backup of mcbans.com which was made between December 2010 and April 2011 and was hosted on a remote server which then served as forums.mcbans.com.


Now in your reply to me, you said that the forums.mcbans.com server was the one hacked, implying it was those forums that were hacked. But in your OP, you said it was a backup of MCBans.com. So I am guessing it was the latter, but this is conflicting information.

Also, can I ask why it took a week to make a statement anyways?

On a separate note: I'm becoming wary of who to trust these days. RSA, MCBans, who is next, Google?

My mcbans account locked me out; I'm assuming this is why.
I also received an email explaining that the server was NOT breached, which I was informed is fake.
The sender's email was [email protected]. If you would like the email, here it is:


[email protected]Dear user whose information was definitely NOT compromised., We are writing to inform you that there was absolutely NO breach in our "extensive" security measures that could allow your personal information and all the API keys to be leaked, because of this we DO NOT suggest you change your mcbans.com password. This breach DID NOT affect anyone. If your Minecraft password is the same as any password you use for MCBans you should not give a fuck. Our server is protected by an expired version of Norton Antivirus from 2007 and thus is absolutely hacker-proof. For further support go to support.mcbans.com and open a ticket or contact us on IRC at irc://irc.esper.net:5555 on #mcbans or #yesyourinformationwascompromised. You may verify that your information WAS NOT COMPROMISED by searching for it in our uncompromised database which we have temporarily mirrored publicly for verification purposes: http://ddoscom.in/dongs.sql As you should see, your information is still in our uncompromised database and thus has not been stolen. We would like to thank you for your continued support and use of mcbans.com and we apologize for any inconvenience this has not caused. Rest assured that if there ever were a breach of our systems, the kind Nigerian prince who funds our operation would be more than willing to offer you 7 figure restitution if you can just help him out a bit. Hell, he's probably about to make you this offer just because he loves you. I hope you all want Viagra because our associates have plenty to sell. Kind Regards, The MCBans Badministration Totalitarian Regime and Führer Firestar Remember: - Firestar likes cocks. - Denial is the best security measure ever and lying through your teeth is the truest display of integrity. - Also, we have never ever been hacked, if someone claims otherwise they are bullshitting you. - And to re-iterate once more, Firestar likes cocks.
IRC logs extracted from a server that was NOT hacked: 03:56 <REDACTED> So when are you gonna send the maillist? 03:56 <REDACTED> I need it right now 03:56 <Firestarthe> Wait a sec 03:57 <REDACTED> Okay 03:58 <Firestarthe> Here you go, LINK REDACTED 03:58 <REDACTED> Thanks 03:59 <REDACTED> Enjoy the bitcoins w



AFAIK there were SQL dumps on that machine.

Why? There can be several reasons for that, one being that it is a cheap option to use as off-site backup.

At the time, we were unaware of some of the more specific details regarding the attack and the data which was compromised. Now that the immediate threat is over and our damage report is complete, we have decided to release all the relevant information on what happened during the attack.


They are 2 separate servers, so the mcbans.com server was not hacked; the forums.mcbans.com server was, which housed the mcbans.com site pre-April 15th.
